NULL pointer dereference in kernel in response to NFS traffic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
I have a badly behaving NFS client device (an embedded system mounting its root filesystem off my Ubuntu development machine) which is causing a NULL pointer dereference in the kernel. After this occurs, the NFS server becomes unresponsive. Sending a SIGKILL to the various NFS daemons does not kill the processes. '/etc/init.
Here is the output of dmesg:
```
[63517.096117] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[63517.096127] IP: [<ffffffff8161d
[63517.096136] PGD 0
[63517.096140] Oops: 0000 [#1] SMP
[63517.096144] Modules linked in: nfsv3 rpcsec_gss_krb5 nfsv4 vmnet(OX) vmw_vsock_
[63517.096222] CPU: 0 PID: 1498 Comm: nfsd Tainted: P OX 3.13.0-66-generic #108-Ubuntu
[63517.096226] Hardware name: System manufacturer System Product Name/P9X79 LE, BIOS 4608 12/24/2013
[63517.096229] task: ffff8807ff194800 ti: ffff88003d996000 task.ti: ffff88003d996000
[63517.096231] RIP: 0010:[<
[63517.096237] RSP: 0018:ffff88003d
[63517.096239] RAX: 0000000000000000 RBX: ffff8807e6540000 RCX: 00000000000004f0
[63517.096241] RDX: 0000000000000000 RSI: 0000000000001080 RDI: ffff8807deab4400
[63517.096243] RBP: ffff88003d997bf8 R08: 0000000000000000 R09: 000000000d03f2fc
[63517.096246] R10: 00000000000004c0 R11: 0000000000000004 R12: 0000000000000008
[63517.096248] R13: ffff8807deab4400 R14: 0000000000001078 R15: ffff8807deab4400
[63517.096251] FS: 000000000000000
[63517.096254] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[63517.096256] CR2: 0000000000000008 CR3: 0000000002c0e000 CR4: 00000000001407f0
[63517.096258] Stack:
[63517.096260] ffffffff81616f66 ffffffff81616fb0 ffff8807e6540000 ffff88003d997df8
[63517.096266] 0000000000000000 0000000000001078 ffff8807deab4400 ffff88003d997c60
[63517.096271] ffffffff8168b2ec ffff88003d9ca028 ffff8807e6540070 0000000200000000
[63517.096276] Call Trace:
[63517.096284] [<ffffffff81616
[63517.096289] [<ffffffff81616
[63517.096296] [<ffffffff8168b
[63517.096303] [<ffffffff81696
[63517.096308] [<ffffffff8160f
[63517.096314] [<ffffffff81075
[63517.096319] [<ffffffff81727
[63517.096324] [<ffffffff8160f
[63517.096347] [<ffffffffa0de1
[63517.096353] [<ffffffff8172c
[63517.096375] [<ffffffffa0dee
[63517.096393] [<ffffffffa0def
[63517.096404] [<ffffffffa0e85
[63517.096413] [<ffffffffa0e85
[63517.096418] [<ffffffff8108b
[63517.096423] [<ffffffff8108b
[63517.096428] [<ffffffff81734
[63517.096433] [<ffffffff8108b
[63517.096435] Code: 44 00 00 55 31 c0 48 89 e5 41 57 41 56 41 55 49 89 fd 41 54 41 89 f4 53 48 83 ec 10 8b 77 68 41 89 f6 45 29 e6 0f 84 89 00 00 00 <48> 8b 42 08 48 89 d3 48 85 c0 75 14 0f 1f 80 00 00 00 00 48 83
[63517.096477] RIP [<ffffffff8161d
[63517.096481] RSP <ffff88003d997bc0>
[63517.096483] CR2: 0000000000000008
[63517.096487] ---[ end trace 15884e761cd443a7 ]---
```
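An added triage helper (not from the bug report or from Ubuntu) that reads the header and register lines of the dmesg excerpt above and pulls out what a kernel maintainer asks for first: the faulting offset from the NULL page, whether the access was a read or a write (from the page-fault error code on the `Oops:` line), which registers were zero at the fault, and the taint flags. The regexes and the field names in the result dictionary are this helper's own assumptions, not part of any kernel tool.

```python
import re

PAGE_SIZE = 4096  # a fault below this address is a dereference through a NULL (or near-NULL) pointer

# Lines copied from the dmesg excerpt above (only the lines the parser needs)
OOPS = """\
[63517.096117] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[63517.096140] Oops: 0000 [#1] SMP
[63517.096222] CPU: 0 PID: 1498 Comm: nfsd Tainted: P OX 3.13.0-66-generic #108-Ubuntu
[63517.096239] RAX: 0000000000000000 RBX: ffff8807e6540000 RCX: 00000000000004f0
[63517.096241] RDX: 0000000000000000 RSI: 0000000000001080 RDI: ffff8807deab4400
[63517.096256] CR2: 0000000000000008 CR3: 0000000002c0e000 CR4: 00000000001407f0
"""

def parse_oops(text):
    """Pull the triage-relevant fields out of an x86-64 oops (assumed field layout)."""
    info = {"regs": {}, "taint": set()}
    for line in text.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line)  # drop the dmesg timestamp
        m = re.match(r"BUG: unable to handle kernel (.+) at ([0-9a-f]+)$", line)
        if m:
            info["bug"], info["fault_addr"] = m.group(1), int(m.group(2), 16)
        m = re.match(r"Oops: ([0-9a-f]{4}) \[#(\d+)\]", line)
        if m:  # page-fault error code: bit0 = page present, bit1 = write, bit2 = user mode
            info["error_code"] = int(m.group(1), 16)
        m = re.match(r"CPU: \d+ PID: (\d+) Comm: (\S+) Tainted: (.*?) (\S+) #", line)
        if m:
            info["pid"], info["comm"], info["kernel"] = int(m.group(1)), m.group(2), m.group(4)
            info["taint"] = set(re.findall(r"[A-Z]", m.group(3)))
        for reg, val in re.findall(r"([A-Z0-9]{2,3}): ([0-9a-f]{16})", line):
            info["regs"][reg] = int(val, 16)
    return info

def classify(info):
    addr = info["fault_addr"]
    ec = info["error_code"]
    if addr < PAGE_SIZE:
        kind = f"NULL-page dereference, offset {addr:#x} (field at +{addr} of a NULL struct pointer)"
    else:
        kind = f"invalid pointer {addr:#x}"
    return {
        "kind": kind,
        "access": "write" if ec & 0x2 else "read",
        "cr2_matches": info["regs"].get("CR2") == addr,  # CR2 should repeat the faulting address
        "zero_regs": sorted(r for r, v in info["regs"].items() if v == 0),  # candidates for the NULL base
        "taint": sorted(info["taint"]),  # P = proprietary module, O = out-of-tree module loaded
        "comm": info["comm"],
        "kernel": info["kernel"],
    }
```

For this report the helper yields a read at offset 0x8 with RAX and RDX zero; the marked bytes in the `Code:` line, `48 8b 42 08`, decode to `mov 0x8(%rdx),%rax`, so the fault is a load through a NULL pointer held in RDX, consistent with CR2 = 8.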
I understand that my NFS client is probably sending malformed data to the NFS server, but this should *never* *ever* result in a NULL pointer dereference in the kernel.
I do not have a capture of the network traffic leading to a crash. Without an Ethernet hub or setting up a VM I do not have an easy way to capture it. I can try wireshark or tcpdump, but I'm concerned that the packet which triggers the null-pointer dereference will not make it up the stack, so an independent method of capturing the stream would be the most reliable approach.
1)
```
# lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
```
2)
```
# apt-cache policy nfs-kernel-server
nfs-kernel-server:
  Installed: 1:1.2.8-6ubuntu1.1
  Candidate: 1:1.2.8-6ubuntu1.1
  Version table:
 *** 1:1.2.8-6ubuntu1.1 0
        500 http://
        100 /var/lib/
     1:
        500 http://
# apt-cache policy linux-generic
linux-generic:
  Installed: (none)
  Candidate: 3.13.0.66.72
  Version table:
     3.13.0.66.72 0
        500 http://
        500 http://
     3.13.0.24.28 0
        500 http://
```
3) NFS should not die. If it does, it should be able to be restarted.
4) NFS died. Kernel dereferenced a null pointer. My dog ate my homework.
affects: nfs-utils (Ubuntu) → linux (Ubuntu)
Also this issue is 100% reproducible with my setup, so if you'd like more data, let me know and I will try to accommodate your request.